diff --git a/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_common.c b/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_common.c
index 235d9b599f..7be3318a91 100644
--- a/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_common.c
+++ b/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_common.c
@@ -21,6 +21,7 @@
 #include "psa_error.h"
 #include "psa_cryptocell_310_ecc_common.h"
 #include "cryptocell_310_util.h"
+#include "string_utils.h"
 #define ENABLE_DEBUG 0
 #include "debug.h"
@@ -67,6 +68,7 @@ psa_status_t cryptocell_310_common_ecc_generate_key_pair(uint8_t *priv_key_buffe
 return CRYS_to_psa_error(ret);
 }
+ explicit_bzero(&priv_key, sizeof(priv_key));
 return PSA_SUCCESS;
 }
@@ -89,7 +91,7 @@ psa_status_t cryptocell_310_common_ecc_sign(const uint8_t *priv_key,
 ret = CRYS_ECPKI_BuildPrivKey(pDomain, priv_key, priv_key_size, &user_priv_key);
 if (ret != CRYS_OK) {
 DEBUG("CRYS_ECPKI_BuildPrivKey failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
- return CRYS_to_psa_error(ret);
+ goto done;
 }
 cryptocell_310_enable();
@@ -99,10 +101,12 @@ psa_status_t cryptocell_310_common_ecc_sign(const uint8_t *priv_key,
 cryptocell_310_disable();
 if (ret != CRYS_OK) {
 DEBUG("CRYS_ECDSA_Sign failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
- return CRYS_to_psa_error(ret);
+ goto done;
 }
- return PSA_SUCCESS;
+done:
+ explicit_bzero(&user_priv_key, sizeof(user_priv_key));
+ return CRYS_to_psa_error(ret);
 }
 psa_status_t cryptocell_310_common_ecc_verify(const uint8_t *pub_key,
diff --git a/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_ed25519.c b/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_ed25519.c
index 946356f266..4e27eca3c2 100644
--- a/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_ed25519.c
+++ b/pkg/driver_cryptocell_310/psa_cryptocell_310/ecc_ed25519.c
@@ -21,6 +21,7 @@
 #include "crys_ec_edw_api.h"
 #include "psa_error.h"
 #include "cryptocell_310_util.h"
+#include "string_utils.h"
 #define ENABLE_DEBUG 0
 #include "debug.h"
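Review bot: In `cryptocell_310_common_ecc_generate_key_pair` (ecc_common.c, hunk at -67) the wipe runs only on the success path: the `return CRYS_to_psa_error(ret);` two lines above the added `explicit_bzero(&priv_key, sizeof(priv_key));` still exits with `priv_key` unwiped when that step fails. The other functions touched by this commit were converted to `goto done`; doing the same here, with a `done:` label holding the `explicit_bzero` and `return CRYS_to_psa_error(ret);`, would cover every exit. The function starts above the hunk, so any earlier error return taken after the key has been generated needs the same treatment, and a scratch buffer handed to the key-generation call, if it is a stack local, probably deserves wiping as well.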
@@ -49,13 +50,15 @@ psa_status_t psa_generate_ecc_ed25519_key_pair( uint8_t *priv_key_buffer,
 cryptocell_310_disable();
 if (ret != CRYS_OK) {
 DEBUG("CRYS_ECEDW_KeyPair failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
- return CRYS_to_psa_error(ret);
+ goto done;
 }
 memcpy(priv_key_buffer, secret_key, CRYS_ECEDW_ORD_SIZE_IN_BYTES);
 memcpy(pub_key_buffer, &secret_key[CRYS_ECEDW_ORD_SIZE_IN_BYTES], CRYS_ECEDW_MOD_SIZE_IN_BYTES);
- return PSA_SUCCESS;
+done:
+ explicit_bzero(&secret_key, sizeof(secret_key));
+ return CRYS_to_psa_error(ret);
 }
 psa_status_t psa_ecc_ed25519_sign_message(const uint8_t *priv_key_buffer,
@@ -91,10 +94,12 @@ psa_status_t psa_ecc_ed25519_sign_message(const uint8_t *priv_key_buffer,
 cryptocell_310_disable();
 if (ret != CRYS_OK) {
 DEBUG("CRYS_ECEDW_Sign failed with %s\n", cryptocell310_status_to_humanly_readable(ret));
- return CRYS_to_psa_error(ret);
+ goto done;
 }
- return PSA_SUCCESS;
+done:
+ explicit_bzero(&secret_key, sizeof(secret_key));
+ return CRYS_to_psa_error(ret);
 (void)signature_size;
 }
diff --git a/pkg/driver_cryptocell_310/psa_cryptocell_310/error_conversion.c b/pkg/driver_cryptocell_310/psa_cryptocell_310/error_conversion.c
index 4b8b596b55..418694b185 100644
--- a/pkg/driver_cryptocell_310/psa_cryptocell_310/error_conversion.c
+++ b/pkg/driver_cryptocell_310/psa_cryptocell_310/error_conversion.c
@@ -23,6 +23,8 @@
 psa_status_t CRYS_to_psa_error(CRYSError_t error) {
 switch (error) {
+ case CRYS_OK:
+ return PSA_SUCCESS;
 case CRYS_HASH_ILLEGAL_OPERATION_MODE_ERROR:
 case CRYS_HASH_IS_NOT_SUPPORTED:
 return PSA_ERROR_NOT_SUPPORTED;
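Review bot: `done:` in `psa_generate_ecc_ed25519_key_pair` (ecc_ed25519.c, hunk at -49) clears `secret_key` only, while CRYS_ECEDW_KeyPair also works through a caller-supplied temp buffer. The call and the declarations sit above the hunk, so whether that buffer is a stack local here is not visible; if it is, it may hold key-derived intermediates and should get its own `explicit_bzero` under `done:`. The same question applies to the temp buffer given to CRYS_ECEDW_Sign in `psa_ecc_ed25519_sign_message` (hunk at -91). It is also worth confirming that `secret_key` is declared as an array in both functions, because `sizeof(secret_key)` would cover only a pointer otherwise.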
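Review bot: `(void)signature_size;` in `psa_ecc_ed25519_sign_message` (hunk at -91) now follows `return CRYS_to_psa_error(ret);` under the `done:` label, so it is an unreachable statement sitting inside the cleanup block. It was already placed after the old `return PSA_SUCCESS;`, but with the label added it reads as part of the cleanup path. Moving it to the top of the function, or to just above `done:`, leaves the cleanup block as exactly the wipe and the return. The function begins above the hunk.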
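Review bot: The new `case CRYS_OK:` in `CRYS_to_psa_error` is load-bearing but undocumented: every `done:` label added in ecc_common.c and ecc_ed25519.c now returns `CRYS_to_psa_error(ret)` on success as well as on failure. A comment above the case would keep it from being removed later as redundant, for example `/* success must map to PSA_SUCCESS: shared cleanup paths pass CRYS_OK through here */`. The switch continues below the hunk, so how CRYS_OK was handled before this change is not visible here.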